Beyond
strengthening authentication, firms must also implement continuous monitoring
to detect suspicious activity after users have logged in. Automated systems
should monitor behavioural patterns, identify unusual login activity, detect
simultaneous logins from different locations, and flag unusually large or rapid
requests to withdraw funds or digital assets.
To support
these controls, firms should immediately notify clients through secure, non-SMS
channels whenever critical account changes occur. These alerts should be
triggered automatically following high-risk events such as password changes,
updates to banking details, or requests to register a new device.
Finally,
intermediaries must maintain effective incident response procedures, including
the ability to freeze compromised accounts immediately to prevent unauthorized
transfers of funds or assets. In the event of a confirmed security breach or
unauthorized access, firms are also required to report the incident to the SFC
without delay, supporting both regulatory compliance and broader threat
intelligence sharing.
| Authentication Class | Vulnerability to AiTM Phishing | SFC Compliance Status | Technical Operating Principle |
| SMS / Email OTP | High (Susceptible to real-time reverse
proxy interception) | BANNED
for login and binding | Symmetric
shared secrets transmitted over unencrypted communication channels. |
| App-Based
TOTP (e.g., Google Authenticator) | Medium-High (Can be mirrored and inputted via
proxy) | Restricted / Discouraged | Time-synced
cryptographic tokens reliant on shared seed keys. |
| Device Binding | Negligible | APPROVED | Unique
hardware signature linkage and possession verification. |
| Passkeys (FIDO2) | Zero | MANDATED STRATEGY | Asymmetric
public/private key verification bound directly to the verified domain origin. |